Ways to Block Automatic Form Spam
There are two types of form spam.
One is the type of spam that occurs when a robot automatically fills in form fields and submits the form. It is the type of form spam this article addresses.
A second type of form spam is when a human pastes unwanted drivel into a form and submits it. Such spam can be reduced, but the techniques are outside the scope of this article.
Here, you will find practical information for blocking automated form spam by robots. There is no specific code. Instead, the article is designed to impart a general understanding of how the methods work.
The "prove you are human" method, sometimes called CAPTCHA, is not addressed here other than to say I do not like CAPTCHA at all and won't use forms that require it unless I absolutely have to.
The methods here can be used with forms that are inviting rather than deterring.
In other words, the form can be ready to use — as is.
Nothing extra needs to be done. The person fills in the form and submits — and is good to go.
Yet, bots get blocked.
Form Pulled in With JavaScript
Probably the easiest method is to pull the form in with a script tag.
The form is in a separate file. It has either been pre-converted to JavaScript or is converted on demand when it is imported.
The method described at Import Text as JavaScript can be used to retrieve the form from your file and insert it into the web page.
When the form is not on the web page, the bot is unaware of it.
Please note, however, that some bots will pull in script content to look for forms.
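The conversion step described above, as an added example that is not the article's own code or the Willmaster Import Text as JavaScript code: the HTML form file is turned into a JavaScript file that writes the form where the script tag sits. The sample form, the helper names and the round-trip check are assumptions made for this example; the server-side "convert on demand" step is not shown, only the string conversion it would perform.

```javascript
// Added example: convert an HTML form file into a JavaScript file that
// writes the form into the page when the script tag is processed.
// The page would load the result with <script src="form.js"></script>.

// Constructed sample form (stand-in for the separate form file).
const SAMPLE_FORM_HTML = [
  '<form method="post" action="/contact">',
  '  <label>Email <input type="email" name="email" required></label>',
  '  <textarea name="message"></textarea>',
  '  <button type="submit">Send</button>',
  '</form>',
].join('\n');

// Escape text so it can sit inside a single-quoted JavaScript string literal.
// Backslashes go first so later escapes are not doubled. The "</script"
// sequence must be broken up, otherwise the browser's HTML parser would end
// the surrounding script element early.
function toJsStringLiteral(text) {
  const escaped = text
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/<\/(script)/gi, '<\\/$1');
  return "'" + escaped + "'";
}

// Produce the body of a .js file that writes the HTML in place.
function htmlToImportScript(html) {
  return 'document.write(' + toJsStringLiteral(html) + ');\n';
}

// Round-trip check: run the generated script against a stub document and
// return what it would have written. This verifies the escaping without a
// browser; it is not part of what gets served.
function renderWithStubDocument(js) {
  const written = [];
  const stubDocument = { write: (s) => written.push(s) };
  new Function('document', js)(stubDocument);
  return written.join('');
}

// Usage: write htmlToImportScript(formHtml) to form.js on the server.
```

Because `document.write` runs while the page is still parsing, the generated file must be loaded with a blocking script tag, not `async` or `defer`.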
Diversion
More effective bot-blocking is the diversion.
With the diversion, the form tag's action attribute has a value of an incorrect URL. After the form is loaded into the browser, only then does JavaScript update the action attribute with the correct URL.
Because some bots may wait a second or so to see if the action attribute changes, the attribute may be updated after a pause. Either of these should work:
- Update the action value when a couple seconds have passed since the page has loaded.
- Update the action value when a required form field is clicked or tapped.
It may be prudent to do code-obfuscation on the correct URL so the bot doesn't pick it up with a quick scan.
Relatively Simple Form Spam Prevention presents nuances of the diversion idea.
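The diversion, as an added example that is not the article's code: the form starts out with a decoy action in the HTML, and the script applies the real action either after a pause or when a required field is first focused or clicked, whichever happens first. The real URL is kept as an array of character codes so it does not appear as plain text in a quick scan of the source. The decoy and real URLs, the element id and the delay are invented for this example.

```javascript
// Added example: the "diversion" with a lightly obfuscated real action.

// Done once, offline, when writing the page: turn the real URL into codes.
function encodeAction(url) {
  return Array.from(url, (ch) => ch.charCodeAt(0));
}

// Done at run time: turn the codes back into the URL.
function decodeAction(codes) {
  return String.fromCharCode(...codes);
}

// Precomputed codes for '/contact-real' (invented URL). Embedding the array,
// not the string, is what keeps the URL out of a plain-text scan.
const REAL_ACTION_CODES = [47, 99, 111, 110, 116, 97, 99, 116, 45, 114, 101, 97, 108];

// Arm the diversion on a form whose HTML action is the decoy. Returns the
// function that applies the real action so callers can see when it fires.
function installDiversion(form, encodedAction, delayMs) {
  let applied = false;
  const apply = () => {
    if (applied) return; // whichever path wins, apply only once
    applied = true;
    form.setAttribute('action', decodeAction(encodedAction));
  };
  // Path 1: update after a pause longer than a bot is likely to wait.
  setTimeout(apply, delayMs);
  // Path 2: update as soon as a person interacts with a required field.
  form.querySelectorAll('[required]').forEach((field) => {
    field.addEventListener('focus', apply, { once: true });
    field.addEventListener('click', apply, { once: true });
  });
  return apply;
}

// Browser wiring; skipped when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  const form = document.getElementById('contact-form'); // assumed id
  if (form) installDiversion(form, REAL_ACTION_CODES, 3000);
}
```

The server should still reject submissions that arrive at the decoy URL, so that a bot which does post the unchanged form gets nothing for it.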
Form Delivered With Ajax
Ajax can be used to pull in a form and flow it into a div coded for it.
When no form is on the page, the bot sees no form.
One way to do this is described at the Ajax Form System article.
Because some bots may pause for a second or so to see if the page changes, the Ajax may be coded to pull in the form after a few seconds have elapsed.
Non-Form Form
With the contenteditable attribute for divs (and other content tags like span and td), the user can type text into a div. No HTML form fields are required for that.
The "form" content can be "submitted" (sent to the server for processing) with Ajax when the user taps a div that is styled to look like a submit button.
That is, basically, how Spam-Free Form works. There is no form tag. There are no HTML form text fields. In fact, there are no type="input" fields at all. (The Willmaster contact form is a working example of a spam-free form.)
A form-seeking bot won't recognize a spam-free form as a form, because it is not an HTML form.
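An added example, not the Willmaster Spam-Free Form or Ajax Form System code, covering the two Ajax ideas above: a container that is filled with form markup only after a delay, and a "non-form form" whose fields are contenteditable elements tagged with a data-field attribute, read out and posted as JSON when a styled div is tapped. The data-field and data-required attributes, the element ids, the /form.html and /submit URLs, and the injectable fetch function are assumptions made for this example.

```javascript
// Added example: Ajax-delivered form and a contenteditable "non-form form".

// Fill `container` with markup fetched from `url` after `delayMs`, so a bot
// that only waits briefly never sees a form. `fetchFn` is injectable.
function loadFormAfterDelay(container, url, delayMs, fetchFn) {
  return new Promise((resolve) => {
    setTimeout(async () => {
      const res = await fetchFn(url);
      container.innerHTML = await res.text();
      resolve(container);
    }, delayMs);
  });
}

// Gather the text of every editable field under `root` into a plain object.
function collectEditable(root) {
  const payload = {};
  root.querySelectorAll('[contenteditable][data-field]').forEach((el) => {
    payload[el.getAttribute('data-field')] = el.textContent.trim();
  });
  return payload;
}

// Names of fields marked data-required that are still empty.
function missingRequired(root, payload) {
  const missing = [];
  root.querySelectorAll('[data-field][data-required]').forEach((el) => {
    const name = el.getAttribute('data-field');
    if (!payload[name]) missing.push(name);
  });
  return missing;
}

// "Submit" the non-form: validate, then POST the values as JSON. The server
// must validate everything again; this check is only for the user's benefit.
async function submitEditable(root, url, fetchFn) {
  const payload = collectEditable(root);
  const missing = missingRequired(root, payload);
  if (missing.length) return { ok: false, missing };
  const res = await fetchFn(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
  return { ok: res.ok, status: res.status };
}

// Browser wiring; skipped when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  const root = document.getElementById('spamfree');        // assumed id
  const button = document.getElementById('spamfree-send'); // styled div, assumed id
  if (root && button) {
    button.addEventListener('click', () => {
      submitEditable(root, '/submit', fetch).then((r) => console.log(r));
    });
  }
}
```

A markup sketch for the non-form (also assumed): `<div id="spamfree"><div contenteditable data-field="email" data-required></div><div contenteditable data-field="message"></div><div id="spamfree-send">Send</div></div>`. Nothing in it matches a form, input or textarea selector.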
There are bot-handling form techniques other than those mentioned in this article. The methods here may, however, be the easiest types of techniques to implement.
(This article first appeared with an issue of the Possibilities newsletter.)
Will Bontrager